
Security

July 31, 2009 10:53 AM PDT

Microsoft acknowledges Windows 7 activation leak

by Dong Ngo
  • 22 comments
(Credit: Dong Ngo/CNET)

Alex Kochis, Microsoft's director of Genuine Windows, posted a blog entry late Thursday addressing the "leak of a special product key" of Windows 7 RTM (release to manufacturers). This confirmed Tuesday's rumor that an ISO file of Windows 7 RTM sent to Lenovo, containing a master key--a number used to verify the authenticity of the software--had been leaked to the Internet.

According to the blog, "The key is for use with Windows 7 Ultimate RTM product that is meant to be preinstalled by the OEM (original equipment manufacturer) on new PCs to be shipped later this year. As such, the use of this key requires having a PC from the manufacturer it was issued to. We've worked with that manufacturer so that customers who purchase genuine copies of Windows 7 from this manufacturer will experience no issues validating their copy of Windows 7. At the same time we will seek to alert customers who are using the leaked key that they are running a non-genuine copy of Windows. It's important to note that no PCs will be sold that will use this key."

This means the hacked key will still work, though it will likely be identified, presumably when the computer with this version of the hacked Windows 7 OS installed connects to download updates from Microsoft.

Kochis said Windows 7 includes an improved capability to detect activation exploits and it should be able to alert the customer when the leaked version or other hacks are used to install Windows 7 on a PC.

He added, "Our primary goal is to protect users from becoming unknowing victims, because customers who use pirated software are at greater risk of being exposed to malware as well as identity theft. Someone asked me recently--and I think it's worth noting here--whether we treat all exploits equally in responding to new ones we see. Our objective isn't to stop every 'mad scientist' that's out there from dabbling; our aim is to protect our customers from commercialized counterfeit software that impacts our customers' confidence in knowing they got what they paid for."

Personally, I don't see what Microsoft can do now that the key and the ISO are out in the wild, other than wait for a system installed with that copy of Windows 7 to connect to its update servers. In the meantime, it can issue another key to OEMs to make sure they don't use the leaked key and hope that consumers will buy its genuine product and, of course, pay the full price for it.

It's safe to say that we probably have to wait for a service pack of the operating system to be sure that this leak is fully addressed. In the meantime, this leaked key could still pose a big problem if the hackers are able to alter the ISO and sell it as a counterfeit retail package of the OS. In this case, customers will only find out that they don't have a genuine copy, if they ever do, when it's too late.

Originally posted at Microsoft

July 29, 2009 3:51 PM PDT

Hackers rumored to have cracked Windows 7 activation

by Dong Ngo
  • 129 comments

Microsoft only just released final code for Windows 7 to manufacturers and the company is already facing a security risk.

The Windows Genuine Advantage antipiracy system in the Windows 7 Ultimate release to manufacturers (RTM) has reportedly been compromised by some Chinese hackers, according to a variety of Chinese forums, as first reported by Neowin.com. This means the user can fully activate the software offline without connecting to Microsoft's activation server.

The software's RTM code is generally the same as the retail code, which will be available to the public in October. PC makers tend to get the final product with plenty of time in advance of the launch to make their products ready on the launch date.

It must have been a complicated process, but in a nutshell, hackers reportedly used the leaked ISO file to get hold of the activation certificate that Microsoft digitally signed for the original equipment manufacturer, or OEM, version of Windows 7. It's rumored that the key that got hacked is one that can be used to activate multiple OEM-branded installations, such as Dell's, HP's, or, of course, Lenovo's.

I am no fan of the activation (it's a pain when you change computer parts, which I do very frequently), but this is rather upsetting news. I am sure, in no time, you will be able to buy a copy of Windows 7 in China or Vietnam for less than a dollar.

Addressing this, Microsoft released this statement to CNET News:

We are aware of reports of activation exploits that attempt to circumvent activation and validation in Windows 7, and we can assure customers that Microsoft is committed to protecting them from counterfeit and pirated software. Microsoft strongly advises customers not to download Windows 7 from unauthorized sources. Downloading Windows 7 from peer-to-peer Web sites exposes users to increased risks--such as viruses, Trojans, and other malware and malicious code--that usually accompany counterfeit software. These risks can seriously harm or permanently destroy data and often expose users to identity theft and other criminal schemes.

March 11, 2009 5:46 AM PDT

Lenovo sticking with face recognition tool

by Vivian Yeo
  • 5 comments

Despite detailed demonstrations that the security of its Veriface face recognition technology can be manipulated to gain unlawful access, Lenovo is keeping current notebook models equipped with it.

In an e-mail interview with ZDNet Asia, a Singapore-based Lenovo representative said the company has "no plans to pull affected models." However, the PC maker does plan to continue to upgrade the face recognition technology.

The technology's vulnerability was demonstrated in December by the Bach Khoa Internetwork Security (BKIS) center in Hanoi, Vietnam.

At the Black Hat security conference last month, researchers Nguyen Minh Duc and Bui Quang Minh presented a paper (PDF) that detailed Veriface's face authentication and the bypass.

According to the paper, tests were performed on Asus, Lenovo, and Toshiba laptops fitted with 1.3-megapixel cameras. The bypass model illustrated that a person was able to log in to the Windows Vista machines using photos or videos to initiate a face recognition process.

"All the applications tested are of their latest versions and are set to Highest Security Level," the researchers wrote in the paper. The technologies were identified as Asus SmartLogon V1.0.0005, Lenovo Veriface III, and Toshiba Face Recognition 2.0.2.32.

Nguyen and Bui added: "Veriface is in fact the least secure of the (three applications) as we can log into the account using a plain image of the owner without much effort."

Lenovo, its representative noted, offers face recognition technology "as an alternative security option for consumers who would like the convenience of not having to remember yet another password." Within the region, Veriface technology is available in Lenovo's IdeaPad notebooks and Netbooks as well as its IdeaCenter desktops.

He added: "Like all technologies, early adoption reveals initial issues that are improved over time and Veriface, which is only used in our consumer range of notebooks, continues to be upgraded. Our advice to concerned consumers is to take basic safety measures to limit their vulnerabilities--store your notebook securely."

Asus and Toshiba did not respond to similar queries from ZDNet Asia.

Asus, Lenovo and Toshiba are said to be the only three vendors offering face recognition technology in the region. Hewlett-Packard announced last year that HP Labs had developed facial recognition technology in collaboration with Tsinghua University in Beijing. However, a Singapore-based representative confirmed that there are no HP products with face recognition technology in the region.

Vivian Yeo of ZDNet Asia reported from Singapore.

December 2, 2008 10:47 AM PST

Vietnamese security firm: Your face is easy to fake

by Dong Ngo
  • 23 comments

This is me being enrolled by the Y430's Lenovo Veriface III authentication software to be a legitimate user of the computer.

(Credit: Dong Ngo/CBS Interactive)

Updated at 1:14 p.m. PST Friday, December 5 with comment from Lenovo.

Editor's note: CNET editor and Crave contributor Dong Ngo is spending the month of December in his homeland of Vietnam and plans to file occasional dispatches chronicling his impressions of how technology has permeated the culture there.

HANOI, Vietnam--Regardless of what some people seem to think, we Asians do not all look the same. But according to the current face recognition algorithm used in laptops, our faces are all about as flat as a piece of paper.

That's according to BKIS, the Vietnamese Internetwork Security Center that makes the antivirus software I mentioned in a blog post Monday. At a press conference here Tuesday, the company demonstrated vulnerabilities in laptops' face recognition-based authentication mechanisms that let anyone log in to a computer easily with a "special" photo of the legit owner, even at the highest authentication level.

Using your face as the password to log in to a computer--an alternative to the fingerprint method or the traditional username and password--marks a new trend found in laptops from Lenovo, Asus, and Toshiba. As far as I know, only these three vendors currently offer this technology in their laptops. These computers come with a built-in Webcam that's used to capture and analyze faces.

I've been impressed by this new way to log in and have found it to be so much more convenient than the fingerprint reader of my Dell XPS 1330. The finger scanner is a pain when my finger is wet or dirty. Unfortunately, on Tuesday I discovered that this new and exciting technology may not be such an effective security measure.

I participated in a demonstration on a Lenovo Y430, running Windows Vista, and here's how it panned out:

... Read More
Originally posted at Crave